proof of concept

src/kprop/kprop.c

@@ -526,6 +526,7 @@ xmit_database(krb5_context context, krb5_auth_context auth_context,
         exit(1);
     }
 
+    krb5_auth_con_setaddrs(context, auth_context, NULL, NULL);
     retval = krb5_rd_safe(context,auth_context,&inbuf,&outbuf,NULL);
     if (retval) {
         com_err(progname, retval,

src/kprop/kpropd.c

@@ -1228,19 +1228,6 @@ kerberos_authenticate(krb5_context context, int fd, krb5_principal *clientp,
         exit(1);
     }
 
-    /*
-     * Do not set a remote address, to allow replication over a NAT that
-     * changes the client address.  A reflection attack against kpropd is
-     * impossible because kpropd only sends one message at the end.
-     */
-    retval = krb5_auth_con_setaddrs(context, auth_context, receiver_addr,
-                                    NULL);
-    if (retval) {
-        syslog(LOG_ERR, _("Error in krb5_auth_con_setaddrs: %s"),
-               error_message(retval));
-        exit(1);
-    }
-
     if (keytab_path != NULL) {
         retval = krb5_kt_resolve(context, keytab_path, &keytab);
         if (retval) {
@@ -1443,6 +1430,14 @@ recv_database(krb5_context context, int fd, int database_fd,
     if (debug)
         fprintf(stderr, _("Full propagation transfer finished.\n"));
 
+    retval = krb5_auth_con_setaddrs(context, auth_context, receiver_addr,
+                                    NULL);
+    if (retval) {
+        syslog(LOG_ERR, _("Error in krb5_auth_con_setaddrs: %s"),
+               error_message(retval));
+        exit(1);
+    }
+
     /* Create message acknowledging number of bytes received, but
      * don't send it until kdb5_util returns successfully. */
     database_size = htonl(database_size);